Documentation on the Windows Vista and Windows Server 2008 Security Events

I'm hearing lots of complaints that we don't have KB articles on these yet.  Doriansoft has a blog post complaining that the "add 4096" rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success events [528, 540] and 10 failure events [529-537, 539]).

Well, In Vista and beyond the event log is self-documenting.  From an elevated command prompt (one with admin privileges), type the following:

wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true

This example dumps only the 360 or so unique security event messages (publisher=Microsoft-Windows-Security-Auditing); other publishers can be enumerated with the ep switch of wevtutil.

Event messages can be formatted as XML using the /f switch, see the command-line help.

As a side note, this is, in slightly different format, the same information we publish in the KB, and a KB article is in the works.

Why did we renumber the events?  As explained in my earlier post, we changed the internal detail of each event so much (to improve understandability, readability, consistency, etc.) that we would have broken essentially all existing automation anyway.  By renumbering the events we made the automation break in as obvious a way as possible, and also made it as clear as possible that THESE ARE DIFFERENT EVENTS.

The "add 4096" rule is not meant to imply that the events are the same, but rather allows you to find the new equivalent event, if you have knowledge of the old event.  Simply renumbering your automation will not make it work.  It's a mental aid for you, the Windows security professional.

[2007-10-12 Update: changed tags]

Comments

• Anonymous
  July 31, 2007
  PingBack from http://www.universityupdate.com/Technology/Microsoft_Windows/4238979.aspx

• Anonymous
  June 10, 2009
  I've written twice ( here and here ) about the relationship between the "old" event IDs (5xx-6xx) in

• Anonymous
  October 12, 2010
  Eric Fitzgerald, How come there is no documentation about why following 4 Windows Vista and Windows Server 2008 Security Events do not show the real "USER ID" who actually perfomed the action. This issue didn't occur on Windows 2003 systems. I thought Windows 2008 Security Event Log was changed significantly to to improve understandability, readability, consistency etc. Please advice. Event_ID – 4739 Domain policy changed – not able to get user ID taking the negative action, Is available in Windows 2003. Event_ID – 4719 Audit policy changed – not able to get user ID taking the negative action, Is available in Windows 2003. Event_ID – 4704 User right assigned – not able to get user ID taking the negative action, Is available in Windows 2003. Event_ID – 4717 System security access granted – not able to get user ID taking the negative action, Is available in Windows 2003.

• Anonymous
  October 12, 2010
  Hi Ketan, This issue is under investigation.  I don't have more information at this time. Thanks, Eric